Sen. Warner: Mandatory Standards Critical for IoT Security

Following the release of a report to President Trump on the increasing threat of botnets, Sen. Mark Warner, D-Va., said Thursday that the government is not doing enough to force the private sector to build better security into Internet of Things (IoT) devices.

“This report concludes that current market incentives do too little to promote security in Internet-connected products, corroborating a longstanding concern I have had with the burgeoning market of Internet of Things (IoT) devices,” Warner said in a statement. “The failure of these market forces to reward security over cost or convenience has led to devastating DDoS [distributed denial of service] attacks–like the Mirai botnet–that contribute to Internet-wide insecurity to this day.”

The report, released Wednesday by the Departments of Commerce and Homeland Security and commissioned by President Trump’s Cyber Executive Order in May 2017, said that botnets and the automated, distributed attacks they carry out are bound to become more prevalent as the number of IoT devices rapidly grows.

IoT devices present favorable targets to cybercriminals, and, when compromised, can be leveraged to form the botnets that carry out distributed attacks.

The botnet report called for the establishment of security baselines for IoT devices in both commercial and government environments, similar to the standards Warner has been advocating in legislation he introduced in the Senate last August with Sen. Cory Gardner, R-Colo.

Warner, co-founder of the Senate Cybersecurity Caucus, said the report is further evidence that Congress needs to move quickly to make that bill law.

“I am pleased to see the Departments of Commerce and Homeland Security acknowledge that the Federal government should lead by example by requiring the acquisition of far more secure and resilient services and products,” he said. “Congress should take the next step and pass bipartisan legislation I have introduced with Sen. Gardner that would set minimum security requirements for federal procurements of IoT devices.”